Documentation update

- Build distroless from scratch
- Static linking with NOSTDRESOLVE for minimal
- SSLPlugin is supported in full, including chroot configuration
- No need to specify full path for plugins

chroot provides no additional security due to distroless, but is still supported for compatiblity reasons. Plugins, including SSL should work in chroot configuration. --read-only is recommended, no tmp directories are required.

Dockerfile.full

@@ -1,56 +1,66 @@
 # 3proxy.full is fully functional 3proxy build based on busybox:glibc
 #
+# Example are for podman, for docker change 'podman' to 'docker'
+#
 #to  build:
-# docker build -f Dockerfile.full -t 3proxy.full .
+# podman build -f Dockerfile.full -t 3proxy.full .
 #to run:
-# by default 3proxy uses safe chroot environment with chroot to /usr/local/3proxy with uid/gid 65535/65535 and expects
-# configuration file to be placed in /usr/local/etc/3proxy.
-# Paths in configuration file must be relative to /usr/local/3proxy, that is use /logs instead of 
-# /usr/local/3proxy/logs. nserver in chroot is required for DNS resolution. An example:
 #
 # echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg
 # echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg
-# docker run -p 3129:3129 -v /path/to/local/config/directory:/usr/local/3proxy/conf -name 3proxy.full 3proxy.full
-#
-# /path/to/local/config/directory in this example must conrain 3proxy.cfg
-# if you need 3proxy to be executed without chroot with root permissions
-# replace /etc/3proxy/3proxy.cfg by e.g. mounting config
-# dir to /etc/3proxy ot by providing config file /etc/3proxy/3proxy.cfg
-# some plugins like SSLPLugin / pamauth also conflict with chroot and must
-# be started prior to chroot.
-# docker run -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy -name 3proxy.full 3proxy.full
+# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy -name 3proxy.full 3proxy.full
 #
 # use "log" without pathname in config to log to stdout.
-# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config).
+# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config)
+# symlinked as /lib and /lib64 in both root and chroot configurations, so no need
+# to specify full path to plugin. SSLPlugin is supported.
+#
+# Since 0.9.6 image is distroless, no reason to use chroot, chroot
+# configuration is supported for compatility only.
 
 
-FROM gcc AS buildenv
+FROM docker.io/gcc AS buildenv
 COPY . 3proxy
 RUN cd 3proxy &&\
- apt update && apt install libssl-dev libpam-dev libpcre2-dev &&\
+ apt --assume-yes update && apt --assume-yes install libssl-dev libpcre2-dev &&\
  make -f Makefile.Linux &&\
  strip bin/3proxy &&\
- strip bin/StringsPlugin.ld.so &&\
- strip bin/TrafficPlugin.ld.so &&\
- strip bin/PCREPlugin.ld.so &&\
- strip bin/TransparentPlugin.ld.so &&\
- strip bin/SSLPlugin.ld.so &&\
- mkdir /usr/local/lib/3proxy &&\
- cp "/lib/`gcc -dumpmachine`"/libdl.so.* /usr/local/lib/3proxy/
+ mkdir /dist &&\
+ mkdir /dist/etc &&\
+ mkdir /dist/etc/3proxy &&\
+ mkdir /dist/bin &&\
+ mkdir /dist/usr &&\
+ mkdir /dist/usr/local &&\
+ mkdir /dist/usr/local/3proxy &&\
+ mkdir /dist/usr/local/3proxy/libexec &&\
+ mkdir /dist/usr/local/3proxy/conf &&\
+ cp bin/3proxy /dist/bin &&\
+ cp bin/*.so /dist/usr/local/3proxy/libexec &&\
+ cp scripts/3proxy.cfg.inchroot /dist/etc/3proxy/3proxy.cfg
+RUN cd /dist &&\
+ ln -s /usr/local/3proxy/libexec lib64 &&\
+ ln -s /usr/local/3proxy/libexec lib &&\
+ ln -s /usr/local/3proxy/libexec usr/lib &&\
+ ln -s /usr/local/3proxy/libexec usr/lib64 &&\
+ ln -s /usr/local/3proxy/libexec /dist/usr/local/3proxy/libexec/`gcc -dumpmachine` &&\
+ cp /lib64/ld-*.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libc.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libdl.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libcrypto.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libssl.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libpcre2-8.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libz.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libzstd.so.* /dist/usr/local/3proxy/libexec
+RUN cd /dist/usr/local/3proxy/ &&\
+ ln -s libexec lib &&\
+ ln -s libexec lib64 &&\
+ mkdir usr
+RUN cd /dist/usr/local/3proxy/usr &&\
+ ln -s ../libexec lib &&\
+ ln -s ../libexec lib64 &&\
+ strip /dist/usr/local/3proxy/libexec/*.so &&\
+ ls -lR /dist
 
-FROM busybox:glibc
-COPY --from=buildenv /usr/local/lib/3proxy/libdl.so.* /lib/
-COPY --from=buildenv 3proxy/bin/3proxy /bin/
-COPY --from=buildenv 3proxy/bin/*.ld.so /usr/local/3proxy/libexec/
-RUN mkdir /usr/local/3proxy/logs &&\
- mkdir /usr/local/3proxy/conf &&\
- chown -R 65535:65535 /usr/local/3proxy &&\
- chmod -R 550  /usr/local/3proxy &&\
- chmod 750  /usr/local/3proxy/logs &&\
- chmod -R 555 /usr/local/3proxy/libexec &&\
- chown -R root /usr/local/3proxy/libexec &&\
- mkdir /etc/3proxy/ &&\
- echo chroot /usr/local/3proxy 65535 65535 >/etc/3proxy/3proxy.cfg &&\
- echo include /conf/3proxy.cfg >>/etc/3proxy/3proxy.cfg &&\
- chmod 440  /etc/3proxy/3proxy.cfg
+FROM scratch
+COPY --from=buildenv /dist /
 CMD ["/bin/3proxy", "/etc/3proxy/3proxy.cfg"]

Dockerfile.minimal

@@ -1,41 +1,38 @@
 # dockerfile for "interactive" minimal 3proxy execution, no configuration mounting is required, configuration
 # is accepted from stdin. Use "end" command to indicate the end of configuration. Use "log" for stdout logging.
 #
-# This is busybox based docker with only 3proxy static executable and empty non-writable "run" directory.
+# Examples are for podman. For docker change 'podman' to 'docker'.
 #
-# "plugin" is not supported
+# This is busybox based docker with only 3proxy static executable.
+#
+# Limitations for minimal version:
+# no support for plugins, IPv6, RADIUS, system resolver.
+# 'nserver' or 'fakeresolve' are mandatory in configuration.
 #
 # Build:
 #
-# docker build -f Dockerfile.minimal -t 3proxy.minimal .
+# podman build -f Dockerfile.minimal -t 3proxy.minimal .
 #
 # Run example:
 #
-# docker run -i -p 3129:3129 --name 3proxy 3proxy.minimal  
+# podman run --read-only -i -p 3129:3129 --name 3proxy 3proxy.minimal  
 #or
-# docker start -i 3proxy
-#<chroot run 65535 65535
+# podman start -ai 3proxy
 #<nserver 8.8.8.8
 #<nscache 65535
 #<log
 #<proxy -p3129
 #<end
 #
-# use "chroot run 65536 65536" in config for safe chroot environment. nserver is required for DNS resolutions in chroot.
 
-
-FROM gcc AS buildenv
+FROM docker.io/gcc AS buildenv
 COPY . 3proxy
 RUN cd 3proxy &&\
- echo "">>Makefile.Linux &&\
- echo LDFLAGS = -fPIC -O2 -fno-strict-aliasing -pthread >>Makefile.Linux &&\
- echo PLUGINS = >>Makefile.Linux &&\
- echo LIBS = >>Makefile.Linux &&\
- echo CFLAGS = -g  -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER -DNOPLUGINS >>Makefile.Linux &&\
- make -f Makefile.Linux &&\
+ export "LDFLAGS=-static" &&\
+ export "CFLAGS=-DNOPLUGINS -DNORADIUS -DNOIPV6 -DNOODBC -DNOCRYPT -DNOSTDRESOLVE" &&\
+ make -f Makefile.Linux PLUGINS= LIBS= &&\
  strip bin/3proxy
  
-FROM busybox:glibc
+FROM scratch
 COPY --from=buildenv 3proxy/bin/3proxy /bin/3proxy
-RUN mkdir /run && chmod 555 /run
 CMD ["/bin/3proxy"]

Makefile.FreeBSD

@@ -30,19 +30,19 @@ TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.FreeBSD
 PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
-OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l crypto -l ssl -o testssl - 2>/dev/null && rm testssl && echo true||echo false)
+OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
     LIBS += -l crypto -l ssl
     PLUGINS += SSLPlugin
 endif
-PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pam -o testpam - 2>/dev/null && rm testpam && echo true||echo false)
-ifeq ($(PAM_CHECK), true)
-    PLUGINS += PamAuth
-endif
-PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pcre2-8 -o testpcre - 2>/dev/null && rm testpcre && echo true||echo false)
+PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) -lpcre2-8 2>/dev/null && rm testpcre testpcre.o && echo true||echo false)
 ifeq ($(PCRE_CHECK), true)
     PLUGINS += PCREPlugin
 endif
+PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpam.o - 2>/dev/null && $(CC) $(LDFLAGS) -o testpam testpam.o -lpam 2>/dev/null && rm testpam testpam.o && echo true||echo false)
+ifeq ($(PAM_CHECK), true)
+    PLUGINS += PamAuth
+endif
 
 include Makefile.inc
 

Makefile.Linux

@@ -33,16 +33,16 @@ MAKEFILE = Makefile.Linux
 LIBS ?= -ldl 
 #PLUGINS = SSLPlugin StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin PamAuth
 PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
-OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l crypto -l ssl -o testssl - 2>/dev/null && rm testssl && echo true||echo false)
+OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
     LIBS += -l crypto -l ssl
     PLUGINS += SSLPlugin
 endif
-PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pcre2-8 -o testpcre - 2>/dev/null && rm testpcre && echo true||echo false)
+PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) -lpcre2-8 2>/dev/null && rm testpcre testpcre.o && echo true||echo false)
 ifeq ($(PCRE_CHECK), true)
     PLUGINS += PCREPlugin
 endif
-PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pam -o testpam - 2>/dev/null && rm testpam && echo true||echo false)
+PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpam.o - 2>/dev/null && $(CC) $(LDFLAGS) -o testpam testpam.o -lpam 2>/dev/null && rm testpam testpam.o && echo true||echo false)
 ifeq ($(PAM_CHECK), true)
     PLUGINS += PamAuth
 endif

Makefile.unix

@@ -32,19 +32,20 @@ TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.unix
 PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
-OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l crypto -l ssl -o testssl - 2>/dev/null && rm testssl && echo true||echo false)
+OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
     LIBS += -l crypto -l ssl
     PLUGINS += SSLPlugin
 endif
-PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pam -o testpam - 2>/dev/null && rm testpam && echo true||echo false)
-ifeq ($(PAM_CHECK), true)
-    PLUGINS += PamAuth
-endif
-PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pcre2-8 -o testpcre - 2>/dev/null && rm testpcre && echo true||echo false)
+PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) -lpcre2-8 2>/dev/null && rm testpcre testpcre.o && echo true||echo false)
 ifeq ($(PCRE_CHECK), true)
     PLUGINS += PCREPlugin
 endif
+PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpam.o - 2>/dev/null && $(CC) $(LDFLAGS) -o testpam testpam.o -lpam 2>/dev/null && rm testpam testpam.o && echo true||echo false)
+ifeq ($(PAM_CHECK), true)
+    PLUGINS += PamAuth
+endif
+
 include Makefile.inc
 
 install: all

RELEASE

@@ -1 +1 @@
-0.9.5
+0.9.6

debian/changelog

@@ -1,3 +1,9 @@
+3proxy (0.9.6-1) buster; urgency=medium
+
+  *3proxy 0.9.6 initial build
+
+ -- z3APA3A <3apa3a@3proxy.org>  Sat, 11 Apr 2026 13:03:32 +0300
+
 3proxy (0.9.5-1) buster; urgency=medium
 
   *3proxy 0.9.5 initial build

doc/html/howtoe.html

@@ -49,6 +49,8 @@
 		<li><a href="#NSCACHING">How to configure name resolution and DNS caching</a>
 		<li><a href="#IPV6">How to use IPv6</a>
 		<li><a href="#CONNBACK">How to use connect back</a>
+		<li><a href="#HAPROXY">How to use HAProxy PROXY protocol</a>
+		<li><a href="#MAXSEG">How to set TCP maximum segment size (MSS)</a>
 	</ul>
 	<li><A HREF="#CLIENT">Client configuration</A>
 	<li><A HREF="#ADMIN">Administering and information analysis</A>
@@ -1278,6 +1280,53 @@ allowed traffic in megabytes (MB). nocountin allows you to set exclusions.
   allow * * 1.1.1.1
   tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128</pre>
   For browser settings, the proxy is host.dyndns.example.org:3128.
+  </p>
+  <li><a name="HAPROXY"><i>How to use HAProxy PROXY protocol</i></a>
+  <p>
+  3proxy supports HAProxy PROXY protocol v1 for both receiving and sending client
+  IP information. This is useful when 3proxy is behind a load balancer or when
+  passing client information to a parent proxy.
+  </p>
+  <p>
+  <b>Receiving PROXY protocol header:</b>
+  <br>Use the <code>-H</code> option to make 3proxy expect a PROXY protocol v1 header
+  on incoming connections. This allows 3proxy to receive the real client IP address
+  from HAProxy or another load balancer:
+  </p><pre>
+proxy -H -p3128
+socks -H -p1080
+</pre>
+  <p>
+  The PROXY protocol header must be sent before any protocol-specific data.
+  </p>
+  <p>
+  <b>Sending PROXY protocol header to parent proxy:</b>
+  <br>Use the <code>ha</code> parent type to send a PROXY protocol v1 header to
+  the parent proxy. This must be the last parent in the chain:
+  </p><pre>
+allow *
+parent 1000 ha
+parent 1000 socks5 parent.example.com 1080
+socks
+</pre>
+  <p>
+  This configuration sends the client IP information to the SOCKS5 parent proxy
+  via the PROXY protocol.
+  </p>
+  <li><a name="MAXSEG"><i>How to set TCP maximum segment size (MSS)</i></a>
+  <p>
+  Use the <code>maxseg</code> command to set the TCP maximum segment size (MSS)
+  for outgoing connections. This can be useful to work around path MTU discovery
+  issues or to optimize traffic for specific network conditions:
+  </p><pre>
+maxseg 1400
+proxy -p3128 -OcTCP_NODELAY,TCP_MAXSEG -OsTCP_NODELAY,TCP_MAXSEG
+</pre>
+  <p>
+  The value is specified in bytes. This setting uses the TCP_MAXSEG socket option
+  and may not be supported on all platforms. A typical use case is to reduce MSS
+  to avoid fragmentation in VPN tunnels or to work around MTU issues with certain
+  network paths.
   </p>
 	</ul>
 

doc/html/howtor.html

@@ -48,6 +48,8 @@
     <li><a href="#NSCACHING">Как управлять разрешением имен и кэшированием DNS</a>
     <li><a href="#IPV6">Как использовать IPv6</a>
     <li><a href="#CONNBACK">Как использовать connect back</a>
+    <li><a href="#HAPROXY">Как использовать протокол HAProxy PROXY</a>
+    <li><a href="#MAXSEG">Как установить максимальный размер сегмента TCP (MSS)</a>
   </ul>
   <li><a href="#CLIENT">Конфигурация и настройка клиентов</a>
   <ul>
@@ -1336,6 +1338,54 @@ openssl pkcs12 -export -out client.p12 -passout pass: \
   tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128</pre>
   В настройках браузера указывается host.dyndns.example.org:3128.
   </p>
+  <li><a name="HAPROXY"><i>Как использовать протокол HAProxy PROXY</i></a>
+  <p>
+  3proxy поддерживает протокол HAProxy PROXY v1 как для приёма, так и для
+  отправки информации об IP-адресе клиента. Это полезно, когда 3proxy находится
+  за балансировщиком нагрузки или при передаче информации о клиенте родительскому прокси.
+  </p>
+  <p>
+  <b>Приём заголовка PROXY протокола:</b>
+  <br>Используйте опцию <code>-H</code>, чтобы 3proxy ожидал заголовок PROXY протокола v1
+  на входящих соединениях. Это позволяет 3proxy получать реальный IP-адрес клиента
+  от HAProxy или другого балансировщика нагрузки:
+  </p><pre>
+proxy -H -p3128
+socks -H -p1080
+</pre>
+  <p>
+  Заголовок PROXY протокола должен быть отправлен до любых протокольных данных.
+  </p>
+  <p>
+  <b>Отправка заголовка PROXY протокола родительскому прокси:</b>
+  <br>Используйте тип родительского прокси <code>ha</code> для отправки заголовка
+  PROXY протокола v1 родительскому прокси. Это должен быть последний родитель в цепочке:
+  </p><pre>
+allow *
+parent 1000 ha
+parent 1000 socks5 parent.example.com 1080
+socks
+</pre>
+  <p>
+  Эта конфигурация отправляет информацию об IP-адресе клиента SOCKS5 родительскому
+  прокси через PROXY протокол.
+  </p>
+  <li><a name="MAXSEG"><i>Как установить максимальный размер сегмента TCP (MSS)</i></a>
+  <p>
+  Используйте команду <code>maxseg</code> для установки максимального размера
+  сегмента TCP (MSS) для исходящих соединений. Это может быть полезно для обхода
+  проблем с Path MTU Discovery или для оптимизации трафика в специфических
+  сетевых условиях:
+  </p><pre>
+maxseg 1400
+proxy -p3128 -OcTCP_NODELAY,TCP_MAXSEG -OsTCP_NODELAY,TCP_MAXSEG
+</pre>
+  <p>
+  Значение указывается в байтах. Эта настройка использует опцию сокета TCP_MAXSEG
+  и может не поддерживаться на всех платформах. Типичный случай использования -
+  уменьшение MSS для избежания фрагментации в VPN туннелях или для обхода проблем
+  с MTU на определённых сетевых путях.
+  </p>
 </ul>
 <hr>
 <li><a name="CLIENT"><b>Конфигурация клиентов</b></a>

doc/html/man3/3proxy.cfg.3.html

@@ -176,7 +176,12 @@ accepted. <b><br>
 -N</b> (for socks) External NAT address 3proxy reports to
 client for BIND and UDPASSOC By default external address is
 reported. It&rsquo;s only useful in the case of IP-IP NAT
-(will not work for PAT) <br>
+(will not work for PAT) <b><br>
+-H</b> (for all services) Expect HAProxy PROXY protocol v1
+header on incoming connection. This allows the proxy to
+receive real client IP address from HAProxy or other load
+balancer that supports the PROXY protocol. The header must
+be sent before any protocol-specific data. <br>
 Also, all options mentioned for <b>proxy</b>(8)
 <b>socks</b>(8) <b>pop3p</b>(8) <b>tcppm</b>(8)
 <b>udppm</b>(8) <b>ftppr</b>(8) <br>
@@ -677,6 +682,10 @@ useful). Never use this option unless you know exactly you
 need it. <br>
 admin redirect request to local &acute;admin&acute; service
 (with -s parameter). <br>
+ha send HAProxy PROXY protocol v1 header to parent proxy.
+Must be the last in the proxy chain. Useful for passing
+client IP information to the parent proxy. Example: parent
+1000 ha <br>
 Use &quot;+&quot; proxy only with &quot;fakeresolve&quot;
 option</p>
 

man/3proxy.cfg.3

@@ -186,6 +186,12 @@ By default, connections to any interface are accepted.
 (for socks) External NAT address 3proxy reports to client for BIND and UDPASSOC
 By default external address is reported. It's only useful in the case
 of IP-IP NAT (will not work for PAT)
+.br
+.B -H
+(for all services) Expect HAProxy PROXY protocol v1 header on incoming connection.
+This allows the proxy to receive real client IP address from HAProxy or other
+load balancer that supports the PROXY protocol. The header must be sent before
+any protocol-specific data.
 .br
  Also, all options mentioned for 
 .BR proxy (8)
@@ -776,6 +782,10 @@ unless you know exactly you need it.
 .br
  admin redirect request to local \'admin\' service (with -s parameter).
 .br
+ha send HAProxy PROXY protocol v1 header to parent proxy. Must be the last
+in the proxy chain. Useful for passing client IP information to the parent proxy.
+Example: parent 1000 ha
+.br
 Use "+" proxy only with "fakeresolve" option
 .br
 

scripts/rh/3proxy.spec

@@ -1,5 +1,5 @@
 Name:           3proxy
-Version:        0.9.5
+Version:        0.9.6
 Release:        1%{?dist}
 Summary:        3proxy tiny proxy server
 License:        GPL/LGPL/Apache/BSD

src/common.c

@@ -641,7 +641,7 @@ pthread_mutex_t gethostbyname_mutex;
 int ghbn_init = 0;
 #endif
 
-
+#ifndef NOSTDRESOLVE
 #ifdef GETHOSTBYNAME_R
 struct hostent * my_gethostbyname(char *name, char *buf, struct hostent *hp){
 	struct hostent *result;
@@ -656,6 +656,7 @@ struct hostent * my_gethostbyname(char *name, char *buf, struct hostent *hp){
 #endif
 }
 #endif
+#endif
 
 #ifdef NOIPV6
 uint32_t getip(unsigned char *name){
@@ -689,6 +690,7 @@ uint32_t getip(unsigned char *name){
 		if(conf.demanddialprog) system(conf.demanddialprog);
 		return (*tmpresolv)(AF_INET, name, (unsigned char *)&retval)?retval:0;
 	}
+#ifndef NOSTDRESOLVE
 #if !defined(_WIN32) && !defined(GETHOSTBYNAME_R)
 	if(!ghbn_init){
 		pthread_mutex_init(&gethostbyname_mutex, NULL);
@@ -707,6 +709,9 @@ uint32_t getip(unsigned char *name){
 #endif
 #ifdef GETHOSTBYNAME_R
 #undef gethostbyname
+#endif
+#else
+	retval=0;
 #endif
 	return retval;
 }

src/conf.c

@@ -1480,9 +1480,15 @@ static int h_plugin(int argc, unsigned char **argv){
 #else	
 	void *hi, *fp;
 	hi = dlopen((char *)argv[1], RTLD_LAZY);
-	if(!hi) return 1;
+	if(!hi) {
+	    fprintf(stderr, "%s", dlerror());
+	    return 1;
+	}
 	fp = dlsym(hi, (char *)argv[2]);
-	if(!fp) return 2;
+	if(!fp) {
+	    fprintf(stderr, "%s", dlerror());
+	    return 2;
+	}
 	return (*(PLUGINFUNC)fp)(&pluginlink, argc - 2, (char **)argv + 2);
 #endif
 #endif
@@ -1839,7 +1845,6 @@ void freeconf(struct extparam *confp){
  struct ace *acl;
  struct filemon *fm;
  int counterd, archiverc;
- unsigned char *logname, *logtarget;
  unsigned char **archiver;
  unsigned char * logformat;
 
@@ -1876,12 +1881,6 @@ void freeconf(struct extparam *confp){
  pthread_mutex_unlock(&pwl_mutex);
 
 
-/*
- logtarget = confp->logtarget;
- confp->logtarget = NULL;
- logname = confp->logname;
- confp->logname = NULL;
-*/
  confp->logfunc = lognone;
  logformat = confp->logformat;
  confp->logformat = NULL;
@@ -1936,14 +1935,6 @@ void freeconf(struct extparam *confp){
  for(; fm; fm = (struct filemon *)itfree(fm, fm->next)){
 	if(fm->path) myfree(fm->path);
  }
-/*
- if(logtarget) {
-	myfree(logtarget);
- }
- if(logname) {
-	myfree(logname);
- }
-*/
  if(logformat) {
 	myfree(logformat);
  }

src/version.h

@@ -1,14 +1,14 @@
 #ifndef VERSION
-#define VERSION "3proxy-0.9.5"
+#define VERSION "3proxy-0.9.6"
 #endif
 #ifndef BUILDDATE
 #define BUILDDATE ""
 #endif
 #define MAJOR3PROXY 0
 #define SUBMAJOR3PROXY 9
-#define MINOR3PROXY 5
+#define MINOR3PROXY 6
 #define SUBMINOR3PROXY 0
-#define RELEASE3PROXY "3proxy-0.9.5(" BUILDDATE ")\0"
+#define RELEASE3PROXY "3proxy-0.9.6(" BUILDDATE ")\0"
 #ifndef YEAR3PROXY
 #define YEAR3PROXY "2026"
 #endif